A method of complete data loss for any user, like a registry.

[mattsmithies]

Problem description

There is an issue when updating user's profile that will result in the complete data loss connected to a user, this can be a particular issue where the user is a registry, and that it is connected to policy data that has not been exported.

In short, it seems that the keys and did connected to a user can be updated at any point in time, and there isn't any protection against this update.

There are a number of methods that this can transpire:

• Connected to #3525 a user may update their DID through this screen, as the access token has been expired. (my hypothesis is that this could be the cause for complaint of data loss during the Hackathon)
• Through the API, where after authorising as a particular user the "profile update" function can be triggered to generate new keys.

Attached is a video that demos the issue: https://www.loom.com/share/7e3176665d9a407a805c3b45e78083fa

Step to reproduce

Assume an initial state where:

• There is a registry with a did assigned
• The registry has imported a policy
• Acting upon the policy is not required

1. Authenticate as the registry user
2. Either, trigger the "DID not found screen" from #3525 or authenticate as registry through API.
3. Complete the initial set up flow for "pushing keys, tags, and fireblock data" to "profiles/push/$username".
4. Log in as registry on UI
5. See no policy

Expected behavior

If keys or DID is already present on an actor/user the "initial profile update" function should validate for that state and throw a valid status code.

Screenshots

See loom video above

[mattsmithies]

@anvabr @prernaadev01 @justin-atwell

[prernaadev01]

@mattsmithies Thank you so much for the ticket. We are looking at it asap. Will keep you posted on the progress.

[anvabr]

fixed in the 2.26.1 hotfix.